Sliver Command and Control Framework Unauthenticated DNS Session Flooding Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in versions of the Sliver command and control framework prior to 1.7.0. The issue arises in the DNS C2 listener, which accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when the EnforceOTP feature is enabled. This flaw allows an unauthenticated remote actor to repeatedly create sessions, leading to memory exhaustion. The vulnerability is present in versions through 1.6.11.
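
The bug class described above (state allocated before the credential check, with no upper bound) can be modelled in a few lines. The following is an added example, not code from Sliver or from this advisory. The Listener type, its fields other than the EnforceOTP name, the MaxSessions cap and the OTP value "123456" are all hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

var ErrBadOTP, ErrFull = errors.New("otp rejected"), errors.New("session table full")

// Listener is a hypothetical stand-in for a DNS bootstrap handler (not Sliver's type).
type Listener struct {
	EnforceOTP  bool
	MaxSessions int                 // assumed cap on live sessions
	expected    string              // constructed OTP value for the demo
	sessions    map[uint32]struct{} // per-session server-side state
}

func NewListener(limit int, otp string) *Listener {
	return &Listener{EnforceOTP: true, MaxSessions: limit, expected: otp, sessions: map[uint32]struct{}{}}
}
func (l *Listener) Live() int { return len(l.sessions) }

// BootstrapUnchecked models the flaw: every message allocates; the OTP is never inspected.
func (l *Listener) BootstrapUnchecked(otp string) uint32 {
	id := uint32(len(l.sessions)) + 1
	l.sessions[id] = struct{}{}
	return id
}

// BootstrapChecked validates before allocating, then enforces the cap.
func (l *Listener) BootstrapChecked(otp string) (uint32, error) {
	if l.EnforceOTP && subtle.ConstantTimeCompare([]byte(otp), []byte(l.expected)) != 1 {
		return 0, ErrBadOTP
	}
	if len(l.sessions) >= l.MaxSessions {
		return 0, ErrFull
	}
	id := uint32(len(l.sessions)) + 1
	l.sessions[id] = struct{}{}
	return id, nil
}

func main() {
	l := NewListener(4, "123456")
	for i := 0; i < 1000; i++ {
		l.BootstrapChecked("junk") // rejected before any allocation
	}
	fmt.Println("live sessions after 1000 bad bootstraps:", l.Live())
}
```

In the unchecked path the session table grows by one entry per message regardless of the EnforceOTP setting; in the checked path a rejected message leaves no state behind, and even valid bootstraps stop at the cap.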

Impact

Exploitation of this vulnerability allows for unauthenticated remote denial-of-service conditions, causing resource exhaustion through unbounded session growth in the DNS bootstrap path. This leads to increased memory usage and potential service instability.

Reproduction

To reproduce this vulnerability, send repeated DNS queries to a reachable DNS C2 listener with a minimal protobuf message of type TOTP. This can be done using a DNS query loop that sends the TOTP payload as part of the DNS message. Monitor the Sliver server logs for repeated session allocation entries and observe the rising memory usage in the server process, which indicates resource exhaustion.

Remediation

Users can upgrade to Sliver version 1.7.0 or later, where this vulnerability has been fixed.

Added: Feb 9, 2026, 9:19 PM
Updated: Feb 9, 2026, 10:14 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 9.3
remediation: 7.7
relevance: 2.9
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.